Secrets, Secrets Are No Fun: Hacking and the First Amendment

Remember the movie Hackers?  In one of Angelina Jolie’s earliest film roles, she portrays an underground computer hacker, a.k.a. “Acid Burn,” with a (micro)chip on her shoulder and a penchant for creating chaos.  The year is 1995, and the internet is just coming of age.  She and her grungy troupe of Jolt-drinking, Cheeto-scarfing computer hackers combine forces to take down a company’s servers.  Basic message: hackers are subversive (and maybe a little dorky).  Fast-forward to 2008, and the public image of so-called hackers is not much better.

This August, students at MIT – as part of a class project – identified a major security defect in the fare card software for the ‘T,’ Boston’s subway system.  The defect allowed any person with a few easily available tools to ride the T for free.  The students wrote a white paper on the subject, and created a presentation for the DefCon conference, where they hoped to share their results with the research community.  Not so fast, said the Massachusetts Bay Transportation Authority (MBTA).

Rather than enjoying the ‘A’ they received on the project, the students wound up in the middle of a federal lawsuit with the T (PDF).  Even though the students shared their findings (PDF) with the MBTA a month in advance of the conference, a gag order (PDF) was issued and the students were prevented from disclosing any of their research to anyone.  Ironically, as a result of the lawsuit, their research became part of the public record, and thus available to anyone with a computer.  Ultimately, the Electronic Frontier Foundation (EFF), a progressive legal fund, came to the students’ aid to get the gag order overturned.  But they shouldn’t have to.

This class of “hacker” is more correctly identified as a “security expert.”  The MIT case represents the result of yet another faulty invocation of the Computer Fraud and Abuse Act (which has been expanded four times since its enactment in 1986, most notably by the PATRIOT Act).  The gag order was based on the judge’s assumption that speech regarding the MBTA’s security defect was equivalent to hacking the MBTA’s systems.  Following that rationale, any person giving a speech about any dangerous vulnerability could be restrained by the court and held liable.  I don’t remember the little Dutch boy being hauled into the Hague after he called attention to the hole in the dyke.  Shouldn’t this type of speech, which alerts the public – and the company affected – to danger (but does not incite them to exploit the danger) be protected just as vigorously by the First Amendment as journalistic reporting?

Full disclosure means that discoveries of security flaws may be communicated in their entirety to the public without censorship or repercussions.  Opponents of full disclosure argue that disclosing “secrets” doesn’t make us safer because it gives bad guys the information they need to exploit the flaw.  That may be so, but bad guys (who are working way harder than researchers) can use a “secret” vulnerability indefinitely.  If instead the flaw is publicly exposed, the company has no choice but to fix the flaw immediately; in fact, kindly researchers often provide the fix free of charge.  Researchers who report these flaws publicly perform a public service; after all, the only way to test a lock is to try to break it.  But courts continue to treat full disclosure as an illegal form of speech.

Lower courts, at nearly every mention of the word “hacking,” have sided with companies’ interests in secrecy and silence, leaving these alleged criminals pleading the First (PDF).  It is time that we recognize the efforts of these security experts for what they are: a benevolent attempt to make security better and our country safer. In fact, those same “criminals” that found a gaping hole in the MBTA’s security are now hard at work on a way to generate energy from the shock absorbers in your car.

As the Hackers tag line suggests: Perhaps “their only crime is curiosity.”

Photo courtesy of Flickr user kankie.

Published on September 9, 2008 at 8:57 pm